Enterasys Network Access Control - main page
TRANSCRIPT
“There is nothing more important than our customers”
Enterasys Network Access Control
ČIMIB conference 11.2 Prague
© 2008 Enterasys Networks, Inc. All rights reserved. Confidential 2
What is NAC?
• A User focused technology that:
- Authorizes a user or device (PC, Phone, Printer) and
- Permits access to resources based on identity authentication of the user (and/or device) as well as on the security posture of the device, along with location and time
- The parameters are set in the so-called Pre-Connect Assessment (aka Health Check), i.e. before connecting to the infrastructure
- However, during normal operation, regular checks should also be conducted as part of the Post-Connect Assessment
NAC – Why care?
• Corporate & regulatory compliance: Can I enforce these regulations prior to granting network access? Do I have reporting and auditing tools to verify compliance?
• Network usage: Who is using the network infrastructure? Are these users authorized? Does access correspond to organizational role?
• Workstation security: Does the system have up-to-date OS patches? Does every system conform to corporate security standards?
• Guest users: Does a guest system contain threats? Can I limit access for guest users?
• Non-workstation end systems: Is this device what it claims to be? Can I assess its security posture? Can I locate rogue access points, hijacked print servers etc.?
NAC – continuous business protection
• Ensures health and compliance prior to allowing network access
- Agent and network based assessment
• Provides appropriate access (to assets and QoS) based on organizational role
- Policy or VLAN assignment options
• Supports guest access, sponsored access and end system / user tracking
- Track user name, IP, MAC, location, etc.
• Ensures continuing health and compliance after connection
- Continuous monitoring with IDS, NBAD, SIEM
• Automatically contains detected threats
NAC Business Drivers/Trends
A Leading sales “door opener”, Big Hype!
Drivers: Compelling!
• Compliance
• Security/risk mitigation
• Guest access
Trends: Confusion!
1. Trusted Network Computing/Trusted Network Group (TNC/TNG)
2. Cisco Network Admissions Control (C-NAC)
3. Microsoft Network Access Protection (MS-NAP)
4. IETF-NEA (International Engineering Task Force – Network Endpoint Assessment)
Policy Enforcement Options
[Diagram: NAC Gateway (proxy RADIUS, out of band) enforcement flow between user, client system, access device, network infrastructure and RADIUS server / directory: 1. policy role creation in NetSight™ Policy Manager / NAC Manager (1.1 VLAN creation for 3rd-party switches); 2. NAC Gateway configuration; 3. access; 4. scan/authentication request; 5. threat assessment; 6. policy assignment]
[Diagram: kernel syscall table (sys_open() ...) and userland, labelled "New security layer in the core"]
• Switch-based (with true Out-of-Band Appliance): the best solution for NAC in a LAN is implementation of access switches that support 802.1x authentication and policies
• Inline-Appliance: Achieves a faster implementation of a NAC solution; often a transition solution towards a switch-based NAC solution. The access switches can continue to be used; in very heterogeneous environments which might contain "older" switches this is a very good solution
• Out-of-band Appliance: This method initially appears to be very attractive but it has its difficulties, particularly in the following areas:
- Recognition of new end systems
- Reconfiguration of access switches in assessment and quarantine
- Granularity in assessment and quarantine
- Scalability
• Software-based: Enforcement at the agent level permits very precise control in quarantine cases. These solutions can easily be combined with network based solutions
• DHCP, IPSec based
NAC – take End System Diversity into account
[Chart: number of end systems (0 to 40000) by year (2000, 2002, 2005, 2008); legend: Production Systems, RFID Inventory, Security Video, Building Control, Multi-Modal Devices, IP Phones, Office Productivity, Conferencing, Server, PC Desktop, Laptop]
Example
[Diagram: a PEP (Policy Enforcement Point) authenticating via 802.1X, MAC and Web; connected end systems: enterprise users, a guest user, enterprise devices (printers, cameras...), a VoIP phone; backend RADIUS / ADS; destinations: important assets, free for all (Internet). Captions: "Let's put it into a different VLAN", "Mh, it doesn't speak 802.1x", "Uh-oh! How do we distinguish them?", "I need to access our assets", "May I use your Internet connection?", "Uhm, 802.1...what?", "Hey, we both don't know what I am, but people want to talk to me..", "Mh, what to do about all those different devices?"]
Example Solution
• We implement…
- Multi-user authentication (allows multiple devices per port)
- Multi-method authentication (Web, MAC, 802.1x, Kerberos snooping..)
- Port based policies
- Role based policies
• We get...
- Vendor independency
- Client capability independency
- Precise communication restrictions (guest and enterprise use)
- Preserve device mobility where needed
- Central management
- Device/User inventory data
[Diagram: PEP (Policy Enforcement Point) with 1X, MAC and Web authentication; VoIP phone, guest user, enterprise devices (printer, cameras...)]
The Solution - NAC
• Enterasys NAC solutions will fit the following topologies:
- LAN
- WLAN
- VPN
- Remote Branch
• Enterasys' focus is on pre-connect and post-connect NAC solutions:
- Switch based
- Inline Appliance based NAC Controller
- "True" out-of-band Appliance based NAC Gateway
• Enterasys will leverage standards and provide open APIs wherever possible, whenever necessary
Enterasys Provides Choice
The Solution – How We Position Ourselves
[Diagram: Enterasys NAC Gateway and Enterasys NAC Controller as PEP and PDP (Policy Enforcement Point, Policy Decision Point), authenticating via 802.1X, MAC and Web; backends: Directory (LDAP), MS-NPS (RADIUS), SIEM, Kerberos, Location, Asset Management; 802.1X with the MS agent (EAP-PEAP [TNCCS-SOH], EAP-TLS) and the Enterasys agent (health check); integration via XML API and IF-MAP; policy provisioning and assignment]
NAC/VoIP Integration via SOA
The solution developed by Siemens Enterprise Communications and Enterasys is an important component for protecting real-time applications, like voice and video, over a converged IT infrastructure. Features supported:
• Automatic inventory: reduces the risk of operating non-compliant end devices with an invalid configuration or software release.
• Automatic adaptation: location-based configuration of end devices and use of special functions (e.g. configuration of a speed-dial button).
• IP phone monitoring: detects non-compliant and compromised end devices.
• Automatic fault alerting and error correction: automatically generated fault information and notification for fast and effective error correction.
• Automatic authorization: secure, reliable and high-quality operation of real-time applications, guaranteed through automatically assigned QoS parameters and security mechanisms.
Finally, the use of this solution provides the following value add:
• Reduces administrative effort and costs
• Increases protection and reliability of real-time applications
• Minimizes the risk of attacks and the probability of outage
• Increases compliance with the enterprise's security policies
Enterasys NAC / Siemens HiPath
[Diagram: Siemens HiPath DLS and the HiPath platform linked to Enterasys NAC Manager and the Enterasys NAC appliance on the wired LAN; event-based synchronization of databases via API: IP phone, phone number, switch, switch port, building, room; database with physical infrastructure / cabling: wall socket, building, room]
Phone number  Phone IP address  Phone MAC address   Switch name  Switch IP address  Switch port  Building  Room  Wall jacket  Phone software  Phone configuration
12345         10.1.1.10         xx-xy-yy-yz-zz-az   Access 1     10.9.9.8           fe.0.15      B. A      130   3            4.2.4           2008.03.04
34567         10.1.1.18         aa-bb-cc-dd-ee-ff   Access 2     10.9.9.9           fe.1.8       B. B      241   1            4.2.4           2008.03.04
56789         10.1.1.25         ab-cd-ef-gh-ij-kl   Access 3     10.9.9.10          fe.2.21      B. A      412   2            4.2.2           2008.02.21
NAC Controllers
• Provides Network Access Control in any 3rd party environment
- No replacement of existing infrastructure required
- Not dependent on 3rd party switch capabilities
• Implements NAC for any access method
- Wired LAN switch deployments
› Within layer 2 domain
› Across layer 3 boundary
- Wireless
- VPN (e.g. IPSec, SSL)
• Pre- and post-assessment capabilities in a single appliance with Dragon integration
[Diagram: an Inline NAC Appliance in front of the enterprise network for wired LAN, wireless LAN (via wireless switch) and remote access (VPN concentrator)]
NAC in Any Environment
• Hybrid deployment
- Best of both models for mixed environments
- Single, integrated solution – seamless management from a single system
[Diagram: enterprise network with core, distribution and edge; the NAC Gateway serves Enterasys policy-capable switches, RFC 3580-capable switches and RFC 3580-capable wireless access points; the NAC Controller serves non-intelligent edge switches, non-intelligent wireless, VPN and shared-access LAN; NAC Manager]
Multi-user Authentication and Policy
• Up to 2000 users per system
• Different authentication methods (in any combination per port/user)
- 802.1x, PWA (Web), MAC authentication, RADIUS, Kerberos, Default Role ....
• Single physical interface
[Diagram: MUA&P (multi-user authentication and policy) logic on a NAC Controller: 802.1X, PWA and MAC credentials are checked against the RADIUS authority, whose Filter-ID creates a dynamic admin rule in the DFE per source MAC on Port X, e.g. 802.1X login (SMAC = Anita) → Policy Sales, PWA login (SMAC = Bob) → Policy Credit, MAC credentials / any traffic (SMAC = Ted) → Policy Engineering]
Roles, Services, Rules
[Diagram: authorization as roles, services and rules. Roles: Network Administrator, Guest, Office, Non-Office. Services: Administrative Protocols, Acceptable Use, Legacy Protocols, Internet Only, Server Farm. Rules: Deny RIP, Deny OSPF, Deny Apple, Deny IP X, Deny DHCP Reply, Deny IP Range, Allow DNS, Allow DHCP, Allow HTTP, Deny ALL, Deny SNMP, Deny Telnet, Deny TFTP, Drop Apple, Drop IP X, Drop DecNet, Deny Faculty]
Authorization – roles & rules
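An added example (not Enterasys code) of the roles, services and rules model in the diagram above: each role is an ordered list of services, each service an ordered list of rules, and the first matching rule decides. The rule sets and the packet fields are constructed for illustration.

```python
# Added example: roles -> services -> ordered rules, first match wins.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow", "deny" or "drop"
    match: dict        # fields a packet must equal, e.g. {"proto": "udp", "dport": 53}


@dataclass
class Service:
    name: str
    rules: list


@dataclass
class Role:
    name: str
    services: list
    default: str = "deny"   # verdict when no rule in any service matches


def matches(rule, pkt):
    """Every field named in the rule must equal the packet's value (empty = any)."""
    return all(pkt.get(k) == v for k, v in rule.match.items())


def decide(role, pkt):
    """Walk the role's services in order; the first matching rule wins."""
    for svc in role.services:
        for rule in svc.rules:
            if matches(rule, pkt):
                return rule.action, svc.name
    return role.default, "default"


# Constructed rule sets, loosely following the slide's rule names.
INTERNET_ONLY = Service("Internet Only", [
    Rule("allow", {"proto": "udp", "dport": 53}),    # Allow DNS
    Rule("allow", {"proto": "udp", "dport": 67}),    # Allow DHCP
    Rule("allow", {"proto": "tcp", "dport": 80}),    # Allow HTTP
    Rule("deny", {}),                                # Deny ALL
])
ADMIN_PROTOCOLS = Service("Administrative Protocols", [
    Rule("deny", {"proto": "udp", "dport": 161}),    # Deny SNMP
    Rule("deny", {"proto": "tcp", "dport": 23}),     # Deny Telnet
    Rule("deny", {"proto": "udp", "dport": 69}),     # Deny TFTP
])
ROLES = {
    "Guest": Role("Guest", [INTERNET_ONLY]),
    "Office": Role("Office", [ADMIN_PROTOCOLS], default="allow"),
}
```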
Guest Access Solution with sponsoring
- End-user authentication
› End user must enter a valid username and password to successfully register a device
› Username/password validated against a backend LDAP server (e.g. MS Active Directory, OpenLDAP, etc.)
- Sponsored registration
› End user must be in the presence of a trusted employee (i.e. sponsor) to successfully register a device
› Sponsor username/password validated against the backend LDAP server, OR sponsor accounts configured in NAC Manager
- MAC Reg web admin interface
› Supports bounded visibility and control into the MAC Reg system
- View, edit, add, delete registered end systems
- Useful for HelpDesk access into the system without mandating HelpDesk access to NAC Manager
› "Sponsor Web Admin" interface is supported so sponsors can view, edit, delete, add their end systems
[Diagram: NAC Gateway functions and NAC Controller with 1X, MAC and Web authentication; actors: IT admin, sponsor, guest]
Non-compliant asset on the network
How it works – pre-connect
Pre-connect NAC functions: Detect, Authenticate, Assess, Authorize, Remediate
[Diagram (steps 1 to 5): a user laptop connects to an Enterasys Matrix®/SecureStack™ switch (Role = quarantine) or a 3rd-party switch like a Cisco Catalyst (VLAN = quarantine, if RFC 3580 compliant); components: NAC gateway (out-of-band appliance) or ENAC controller (used out-of-band), authentication server, assessment server (optionally included in the NAC gateway with ITA) performing the compliance check, Enterasys NAC Manager]
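The pre-connect sequence above (authenticate, assess, authorize, with quarantine as the remediation role) as an added example, not Enterasys code. The directory, role-to-VLAN table and quarantine VLAN number are constructed; the RADIUS attribute numbers and the RFC 3580 tunnel values are the real ones, while the Filter-Id content is simplified to the bare policy name as on the slide.

```python
# Added example: pre-connect policy decision rendered as RADIUS reply attributes.
from dataclasses import dataclass
from typing import Optional

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the RFC 3580 values that
# assign a VLAN on third-party "RFC 3580 capable" switches.
FILTER_ID = 11                                     # Filter-Id -> policy name
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed tables: the slide shows "VLAN = quarantine" without a number.
ROLE_VLANS = {"Sales": 100, "Guest": 200, "Quarantine": 12}
USER_ROLES = {"anita": "Sales", "visitor": "Guest"}   # stands in for the directory


@dataclass
class EndSystem:
    mac: str
    auth_method: str            # "802.1X", "MAC" or "Web"
    identity: Optional[str]     # None if no credentials were presented
    posture_ok: bool            # verdict of the assessment server's health check
    switch_type: str            # "enterasys-policy" or "rfc3580"


def authorize(es: EndSystem):
    """Authenticate, then assess; failing either step lands in Quarantine."""
    if es.identity is None or es.identity.lower() not in USER_ROLES:
        return "Quarantine", "authentication failed"
    if not es.posture_ok:
        return "Quarantine", "non-compliant end system, remediation required"
    return USER_ROLES[es.identity.lower()], f"authorized via {es.auth_method}"


def radius_reply(es: EndSystem):
    """Express the role in the form the enforcing switch understands."""
    role, reason = authorize(es)
    if es.switch_type == "enterasys-policy":
        attrs = {FILTER_ID: role}            # policy-capable switch: Filter-Id -> policy
    else:
        attrs = {TUNNEL_TYPE: VLAN, TUNNEL_MEDIUM_TYPE: IEEE_802,
                 TUNNEL_PRIVATE_GROUP_ID: str(ROLE_VLANS[role])}
    return role, reason, attrs


if __name__ == "__main__":
    laptop = EndSystem("00-11-22-33-44-55", "802.1X", "Anita", False, "rfc3580")
    print(radius_reply(laptop))   # quarantine VLAN until the laptop is remediated
```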
Summary
• NAC is still a volatile technology.
• Pick wisely an open and scalable architecture
• Define all of your requirements before you select the solution
• Insist on open APIs for efficient IT workflow integration
• NAC is about technology but also about organization
• Enterasys can offer you a solid, scalable and open architecture to address all of these items
Thank you